Nowadays, cars with built-in immobilizers are increasingly common. The most common types are RFID (Radio Frequency Identification) and VATS (Vehicle Anti-Theft System) immobilizers. The point of an immobilizer is that the car can only be started with the original key: a key that is registered in the “brains” of the car (if the car is equipped with an RFID immobilizer) or a key that has the characteristics necessary to start the engine (for cars equipped with VATS). Simply put, you can’t start the car with a plain blank.
The first type of immobilizers (RFID) is found in most Asian and European cars. The second type of immobilizers (VATS) is found in almost all American-made cars.
What should you do if you want to install a car alarm with auto start, but the car has a built-in immobilizer? We will not consider the option of installing Webasto or Hydronic liquid heaters: we don’t have 40-55 thousand rubles. Although, in fact, these heaters are what I would recommend first of all to owners of expensive new cars.
This means that you need to somehow bypass the standard immobilizer.
RFID system immobilizer crawler
All crawlers of this type are similar in design and connection diagram. Essentially, a crawler is an extension lead for reading a key/chip, with the ability to switch this extension on and off. The alarm, or whichever device directly starts the car engine, is responsible for switching it on and off. Such an extension makes it possible to hide the key/chip further away from the eyes and hands of ill-intentioned people, which significantly increases the protection of the car. The main difference between crawlers is how the on/off control is organized. In one case, control is a negative potential on a wire; with such control there is a danger that a thief who finds the alarm unit imitates the crawler's control signal and bypasses the standard immobilizer just as the alarm system does. In the other case, control over the wire is carried out by a coded message, which protects the car from theft more reliably: the thief will not be able to control the crawler even if he has reached the installed alarm system with auto start. Coded crawlers are offered by Pandora and others.
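An added illustration, not from the original article and not any vendor's actual protocol: a minimal model of the two control schemes described above, showing why a bare negative-level trigger accepts any source while a coded command rejects replayed or forged messages. The class names, the key and the HMAC-with-counter construction are assumptions chosen for the example.

```python
import hashlib
import hmac


def make_tag(key: bytes, counter: int) -> bytes:
    """Authentication tag over a message counter (assumed construction)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class LevelTriggeredCrawler:
    """Enabled by a negative (ground) level on the control wire."""

    def control_wire(self, grounded: bool) -> bool:
        # The module cannot tell who pulled the wire low.
        return grounded


class CodedCrawler:
    """Enabled only by a fresh message authenticated with a shared key."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def control_message(self, counter: int, tag: bytes) -> bool:
        fresh = counter > self._last_counter           # rejects replays
        valid = hmac.compare_digest(tag, make_tag(self._key, counter))
        if fresh and valid:
            self._last_counter = counter
            return True
        return False


class AlarmUnit:
    """Paired alarm that holds the same key and a message counter."""

    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def start_request(self):
        self._counter += 1
        return self._counter, make_tag(self._key, self._counter)


def demo() -> dict:
    key = b"constructed-demo-key"                      # constructed sample value
    coded, alarm = CodedCrawler(key), AlarmUnit(key)
    msg = alarm.start_request()
    return {
        "level_any_ground": LevelTriggeredCrawler().control_wire(True),
        "coded_genuine": coded.control_message(*msg),
        "coded_replay": coded.control_message(*msg),
        "coded_forged": coded.control_message(msg[0] + 1, bytes(8)),
    }
```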
Let's look at the operating principle of a simple immobilizer crawler. The crawler consists of two loop antennas, a built-in relay, and a housing with connectors and the board that carries these parts. The two loop antennas relay the immobilizer’s request signal and the chip’s response back and forth. One antenna is placed next to the standard antenna, and the other is wrapped around the body of the hidden key with a chip inside the crawler. It is very important that the distance between the standard RFID antenna and the crawler antenna be kept to a minimum. The relay connects these antennas during a remote start and disconnects them when the engine stops running or an alarm is triggered. The relay is controlled by two wires: one carries +12 V (constant or ignition-switched, it does not matter), and the other is the negative-potential control wire. When voltage is applied across the relay coil, the relay switches on and its contacts connect the wires of the loops, forming a closed circuit in which the energy and data exchange takes place. The crawler connection diagram is shown in Scheme 1 and Scheme 2.
Standard crawler connection. It is important that the distance between the standard RFID antenna and the antenna of the BP-2 module is minimal.
The circuit is recommended when the signal from the standard transponder key is weak. Cut off the connector at the end of the gray wires and connect the gray wires into a break in the original immobilizer antenna circuit. The module's loop antenna is not used in this circuit.
Varieties
Once you have decided to enable the alarm's auto-start function properly, you need to choose an immobilizer crawler. There are several ways to stop the immobilizer from interfering with the functions of the installed alarm:
- completely disconnect the immobilizer from the car’s electronic circuit and forget about its existence, trusting the alarm system;
  - the right choice for cars that allow this;
  - you will have to forget about the manufacturer’s warranty obligations;
  - theft becomes easier, since the immobilizer functions are disabled due to the constant presence of the ignition key on board the car;
  - all that car thieves need is sound technical knowledge of the installed car alarm;
- install a key version of the immobilizer bypass;
  - all alarm functions are retained, including autostart;
  - the immobilizer's ability to prevent unauthorized engine starting is retained;
  - the car alarm owner has only one key left;
  - the problems of having one key have already been described in the previous section of the article;
- choose and install a keyless version of the immobilizer crawler;
  - solves all the previously described shortcomings of immobilizer bypass modules;
  - both keys are in the hands of the car owner or the legal owner of the equipment;
  - significantly increases the cost of both the alarm device itself and its installation.
When choosing an immobilizer bypass, make sure that it can be adapted to the model of the alarm being installed.
VATS system immobilizer bypass
Cars with the VATS system are equipped with an ignition key with a resistor built into it. Typically the resistor has a resistance of 390-11800 Ohm. The resistance of this resistor is individual for each car. To bypass such an immobilizer and start the car, you need to connect a resistor instead of a key to the VATS wires. In a car, the VATS wires are two wires coming out of the steering column area. Their colors vary: two White wires, or one Violet-White and the other White-Black, or Yellow and Orange-Black. These two wires are often enclosed in Orange, White or Black insulating sleeving.
- First, we find the wires we need and cut either of them.
- Then we measure the key resistance to find the value we need. To do this:
  - Set the multimeter selector to the resistance measurement position
  - Turn the ignition key to the ignition position
  - Connect one multimeter probe to the cut wire that comes from the lock, and the second probe to the uncut wire.
  - Record the resistance reading accurate to two decimal places
- To select the resistance quickly, it is better to use a variable multi-turn resistor. If you use fixed resistors, their error should not be more than 5%, so that there are no problems with starting.
- According to diagram A, we connect the selected resistor to the wires through the relay contacts. We connect the cut wire coming from the lock to the NC contact of the relay. We connect the other end of the cut wire to the Common contact of the relay. We connect one end of the selected resistor to the NO contact of the relay, and the other end to the uncut wire. We connect one end of the relay winding to +12 Volts, and the other end to the alarm's negative (-) control output that turns on the crawler.
VAG IMMO Emulator
This type of emulator works on the K-line of VAG vehicles: Audi, Seat, Volkswagen and Skoda from 1994-2001 with immobilizers of types 1 and 2. It can completely emulate the operation of the standard immobilizer. Keep in mind that installing an immobilizer emulator reduces the security of the vehicle.
The main purpose of the emulator is:
- replacing a damaged piece of equipment;
- chip tuning, when the ECU is changed;
- cases where the key has been lost and the chip key cannot be restored.
Chipless immobilizer crawler
While regular crawlers require a chip that the car recognizes, the new crawlers do not require a key or an additional chip. The solution offered by crawler manufacturers is elegantly simple in concept and extremely serious in implementation.
The ignition switches of modern cars are not just power circuit switches, but complex electronic devices with a CAN bus and low-current digital circuits. The keys have changed as well: you don’t need to turn the key to start the engine, you just insert it into a special receiver and press the start/stop button. Therefore, it is sometimes not possible to bypass the standard immobilizer and start the engine in the traditional way. Modern chipless engine starting modules solve this problem.
Let's figure out how they work. The classic crawler worked at a high frequency, relaying the signal from a hidden chip at the right moment. However, there is another communication line into which an external signal can be sent: the line between the immobilizer and the controller. In some cars it is one wire; in many cars it is two wires for exchanging data. Once the exchange protocol has been worked out, all that remains is to send the right signal at the right time. To crack the protocol, the power of so-called “cloud services” is used: clusters of powerful computing systems that solve the problem in a matter of minutes.
During installation, the crawler is connected to the car twice: first to collect information, and then, after connection to a computer and decryption, to function as part of the autostart system. For example, for Ford cars, this solution makes it possible to do without dealer equipment. For installation, one key is enough, which the owner has.
Another direction in the development of crawlers is their use as a self-sufficient, separate installation (usually called “Stand-Alone mode”). The electronics of modern cars often allow the engine to be started with CAN commands and/or low-current control pulses. For example, Mitsubishi cars can be started using special CAN commands. In this case, the crawler needs to be connected only to the CAN bus. Great, isn't it?
There are also more complex combined connection schemes. For example, a crawler connected to data lines is complemented by a simultaneous connection to a CAN bus (or even simultaneously to two buses: engine and cabin). Sometimes, to start, it is necessary to simultaneously exchange data on all these lines; sometimes a connection to the CAN bus is required to unambiguously determine the car model (and may not be used in the future). As examples, we can refer to KIA and Nissan cars.
In the market for chipless crawlers and engine start modules, the leader is the Canadian company Fortin. Fortin modules allow you to bypass the standard immobilizer on almost all cars, and thanks to additional functionality, they provide simplicity and convenience for connecting external security systems and autostart modules.
As an example, I will list some devices from Fortin:
- Fortin EVO-ALL (Chipless engine start module - A controller combining the functionality of a standard immobilizer bypass module and a CAN bus interface module. Supports 2570 car models.)
- Fortin KEY-OVERRIDE-ALL (Chipless engine start module - A universal controller that combines several standard immobilizer bypass modules in one housing. Supports more than 1000 car models.)
- Fortin INT-BMW2 (Chipless engine start module - Interface module for universal connection of remote engine start systems to BMW and Mini Cooper cars. Applicable for any type of automatic and manual transmission. Does not require programming.)
- Fortin EVO-RIDE (Chipless engine start module - Specialized module for bypassing the standard immobilizer. Works with all 40-bit and 80-bit key encodings for Ford, Lincoln, Mercury, Jaguar, Mazda, Toyota, Lexus and Scion cars. Self-learning; does not require a key to be present in the car.)
- Fortin EVO-CAN (Chipless engine start module - A controller that combines the functionality of a standard immobilizer bypass module and a CAN bus interface module. Thanks to this functionality, it provides simplicity and convenience for connecting external security systems and autostart modules.)
- Fortin EVO-CHR (Chipless engine start module - An ALL-IN-ONE universal module that has the functionality of an ignition module with bypass of the standard immobilizer and a CAN bus interface. Compatible with almost all engine starting systems of Chrysler, Dodge and Jeep brands produced in the period 2004-2010.)
More details about Fortin can be found on the Fortin-Russia Project website.
What is it for?
The standard security system can be deceived (bypassed) if one of the car's keys can be sacrificed. In this case, the key itself or its transponder is placed in the container (box) of the device and put away in a hidden place in the car.
When the alarm performs an autostart, the immobilizer crawler signals to the IMMO that the key is in the car. The immobilizer, in turn, confirms the start command and the engine control unit performs the assigned function.
Unfortunately, it is not always possible to use an additional key. There may be several reasons:
- the car with the alarm system is leased;
  - according to the leasing agreement, the second key must be kept by the legal owner of the car;
- the car was purchased on credit;
  - the loan agreement obliges the debtor to hand over one of the keys to the creditor until the debt is repaid;
- a similar situation arises when concluding an insurance contract;
  - in this case, upon the occurrence of an insured event, both keys must be presented to the policyholder;
- a similar situation with keys can arise when both copies need to be on hand in the family or at work.
In these cases, a keyless version of the immobilizer bypass is installed, which lets the owner keep the key. True, installing the equipment and the alarm becomes more complicated, since the device (immobilizer bypass module) has to go through a learning process.
Do-it-yourself immobilizer crawler
Making a crawler yourself is not difficult. To do this, you will need wire with a cross-section of 0.2 - 0.25 mm (it is better to use thin varnish-coated transformer wire, but you can use another insulated wire), a 12 V relay with normally open contacts, and a spare key with a chip or just a chip removed from a key.
You need to make a coil for the ignition switch, make a coil for the key with a chip and connect these coils to the relay according to scheme B.
The coil for the lock can be made by winding the wire over the standard coil. The number of turns is from 10 to 50; it is better to select the number of turns in each case individually.
I liked the original method of making a coil on the civic-club.ru forum by member Z_Z_Z. We select a suitable cylindrical object with a diameter slightly larger than the ignition switch. The author used a roll of tape, a piece of electrical tape and transformer wire.
The result is a thin, compact ring that needs to be installed on the car's ignition switch. We make a coil for a key or chip by simply winding it directly onto the key or chip. The wire is the same as for the lock coil, the number of turns is 7-20. Secure it with electrical tape or other fasteners that do not destroy the varnish of the wire. Next, put everything together according to diagram B and hide the relay with the key/chip away. The immobilizer bypass is ready.
Using an additional key
This is the simplest and most inexpensive way when you can do without purchasing additional equipment. So, you can disable any type of alarm, even one that does not have its own bypass block, and everything can work perfectly.
A similar bypass method may be useful for a more modern vehicle model.
The most popular way of making such a “change” is simply to attach or secure the key under the panel trim, within the range where the immobilizer operates, so that it cannot be noticed. However, this method greatly reduces the security of the vehicle.